E66- Oana Ducută, Data Protection Officer, Verifone eCommerce (Romania)
45:43
SUMMARY KEYWORDS
data, privacy, people, data protection officer, data protection, implemented, discussing, company, business, starting, understand, thinking, forgotten, person, departments, law, collect, deletion, compliance, world
SPEAKERS
Debbie Reynolds, Oana Ducuta
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world for information that businesses need to know now. I have a special guest on my show from Romania, Oana Ducuta. She is the Data Protection Officer for Verifone. In the Ecommerce side of things, she is a tried and true Data Privacy and protection professional. She works on compliance management, and actually, Oana and I had the pleasure of speaking on a panel together. And I can't remember what it was for exactly. But it was fun. I really enjoyed sort of your thoughts and your insights, and you definitely know your stuff around the world. And I would just love to introduce you on the show.
Oana Ducuta 01:18
Thank you. Thank you, Debbie. Thank you for your invitation. I'm delighted to be with you. And it's an honor to be one of your guests. Yes, we met on that panel discussing, I think the standard contractual clauses and the international transfers are one of the hot topics.
Debbie Reynolds 01:39
Absolutely.
Oana Ducuta 01:40
It's been quite a while. But yet, today, I was reading about the new guidelines regarding data transfers and what is the data transfer international data transfer? So either way, after a couple of months, it's still a hot topic.
Debbie Reynolds 01:59
Oh, it is. Well, because it's so difficult. I would love to before we jump in; would love for you to talk about your journey into Data Privacy. I think people are always interested in how you know people like you get into the business, and what struck your interest about this area?
Oana Ducuta 02:25
Definitely, because many people actually want to follow a path and want to be part of the data protection privacy team in a big corporation; it's something though, in their interest, I've started actually with risk, and then jumped into compliance, where Data Privacy was one of our policies that we are actually implementing inside the company. I loved it. It was actually one of my favorite topics back then. And I started to learn a little bit more. What I'm saying is here locally and back then, prior to GDPR. Little things were actually said about Data Privacy, data protection, or how directive 95 was implemented in local legislation. So I've searched more and more internationally, found some pretty much good stuff on IAPP, studied a lot. And I've taken my first certification, which back then was actually I was one of, I think, five people here that got certification. And it was prior to GDPR. What helps a lot, actually, is to understand what compliance with the law means with any law. And I think my background actually helped me back then; what I would recommend to somebody that wants to start a career in data protection is besides understanding the law. Practice the meaning and understanding of the business where they want to work and find a good person that is actually an expert in data protection and try to learn from their practices.
Debbie Reynolds 05:11
That's great advice. I didn't know that. That's wonderful. I had another podcast with a gentleman in the UK recently. And we were talking about the 95 data directive. So because you and I always say, our separate Data Privacy and data protection folks, are kind of people who got into it before GDPR came out, and then after, because before, people, you know, we know that privacy wasn't super top of mind for a lot of companies or really wasn't like C suite issue at that point. And, you know, obviously, companies had to comply with that, but it's received so much more attention. Now, tell me a little bit about maybe misconceptions that people have about privacy when you're working with them. So I think you have a unique perspective. Being in a situation where I guess you have business to business, Data Privacy, and data protection, but then you have a business to consumer, like a ton of that as well. So give me an idea of the kind of misconceptions that people have when working with them about privacy.
Oana Ducuta 06:34
Well, first of all, they're only thinking about the fact that the company can be fined, less about their reputation. So basically, if you're, many companies are thinking that you know, we can get fined, or how can we be compliant? Can we actually write a voice? And that's it, and things like that. On the other side, how many people didn't actually understand what is GDPR? What are their rights, actually. And while I'm seeing this, I'm thinking about many people are asking, please delete my data, just because they don't want to use that service anymore. But they still have a product, subscription active, for example. So they don't understand the difference between data deletion and the fact that I want to stop using recurrent payments for this service; I want to decide if I want to renew it or not. Also another misconception is about security. You know, they are thinking that if my company has implemented stronger, secure processes, and we are good at securing our employees' data or customers' data, if we are now an anti-malware company, antivirus company, or things like that, or if we have implemented antivirus locally, or where, we are compliant. Basically, we know it's not GDPR compliance. And what else I've heard is if we have a data protection officer, that's the best of it. If we have a data protection officer, if we hire one, well, that person will make us compliant.
Debbie Reynolds 09:19
It's a lot more than you know; I think you've hit the nail on the head. I think that's absolutely true. So some people think, okay, we have a policy in place is in writing we have we hire a person who wears his data protection, Data Privacy hat, within the company, we bought new software, and then so we're fine, and we don't have to do anything else. But we know because these are humans. You're protecting data related to the human rights of individuals. It can't be solved by software can't be solved by just writing contracts. It can't be solved by, sort of hiding it, you know, some companies like okay, well I'm so small people are going after these big companies, I don't think that I would like to get the attention of regulators stuff like that. So I think all those are misconceptions that we're seeing sort of all over the world. One thing that you mentioned that I would love to expound upon a bit is the difference, knowing the difference between a right to be forgotten and data deletion. So, in the US, we don't have a right to be forgotten, we do have a right for data deletion, and the right to be forgotten is a kind of a higher level, right? It means that the company has to do more. So deletion, you know, some people get those terms confused, and they're not the same thing. So give me your perspective on the differences between those two?
Oana Ducuta 11:01
Well, definitely, it all starts by looking into what type of data you own as a company, mapping all the data that you hold, that you collect, that you transfer, that you what's actually the flow because data deletion is part of the data flow, right? If you're collecting the data, you're processing it, and then you must delete it. So when I'm thinking about data deletion, it says equally data retention, and how you implement data retention into practice, you cannot actually store the data for a limited period of time. No, you cannot collect the data with consent, for example, for data subjects from a data subject for a limited period of time, right. Oh, we have seen some good examples is in the guidelines from the EDPB that consent must be actually renewed at some period of time. So, data deletion for me means putting into practice that data retention policy and the right to be forgotten actually means starts with how you discuss how transparent you are with your data subject. With your customer, it starts by saying I'm keeping them collecting the data for this purpose, and I will keep the data for as long as it is necessary, but not more than or necessary means that I will map all the data in my inventory and I am actually not making some copies, and I will inform also my data processors to delete the data and so on. The right to be forgotten, as GDPR says, it has some exceptions, right? So, it means a lot to properly understand what are the legal bases for processing the data and how that person understands your legal basis. In my mind, consent might be a legitimate interest, or it might just be a legal requirement. No, maybe you are required to keep the data for accounting purposes. But is it mandatory to keep all the data points to store all the data points for accounting purposes? Who is actually accessing your database? Or is it have you implemented some data access requirements internally?
Or is it that you know, all your staff has access to the data and things like that? And yeah, nevertheless, we all know that the right to be forgotten, it was way before GDPR. Basically, for Google searches. So it is important on one side for the company to understand that it is applicable for the company, either if you are or not Internet exposed or you are exposing any personal data from your customers. And on the other side, we are discussing or knowing how a person understands his right to be forgotten. Many of them did not properly understand how the data was collected at first sight and why. So it all starts with how transparent you are with your processes as a company.
Debbie Reynolds 15:46
Yeah, that's true. Also, I think when I think about right before that, and, you know, we're passing these new laws say that people have a right to request information about their data. And some of these laws in the US, especially they have like a look back period, which is like 12 months. So beyond that 12 month period, they don't really have an obligation to tell them about what happened 12 months before that, right. So a right to be forgotten, if we had it, would extend beyond those 12 months, I will say, by all the data that you have about the person. So I think that's kind of a big difference. And I don't think we'll ever get a right to be forgotten in the US. But I mean, I'm happy to see the states are starting to pass laws related to data deletion and data retention and start to try to tie data to a purpose, which we know is difficult because it's not as easy as saying, you know, delete this data every year or every, you know, three years or something, you just have to understand why, why you need it and how much you need it. Like you said, if someone had an account with you, had they asked to delete your data, you know, they're exercising their rights, you know, you have to assess as an organization what you need it to keep. So like you said, like the example you gave, well, I'll give another example. Let's say someone wants to delete their account. So they want to terminate their account, they want to terminate kind of that record, but with you, but you probably still from, maybe a cyber security standpoint, need to know that person was a customer at one point, because they may become a customer again, you know, so really thinking about that system, and how you want to implement it and do it in a way that that you collect, you know, maybe it's not important, let's say it's a personal customer, they decide they want to exercise the right to be forgotten. So you would, let's say you forget, like their purchases, they made or whatever. 
But you wouldn't forget maybe that they were a customer in the past? Is that a good example?
Oana Ducuta 18:10
No, actually, you need to delete everything that you had in the past; if there is no purpose for the future, let's say so. So either way, you have to delete the data if there is no purpose. If you need to keep it for, I don't know, anti-fraud filters or whatever. It's best to use anonymized data. If those filters are only working based on historical data. No, it's no chance there is no chance to keep the data just because, you know, you might need it in the future. So you have to take a look in all your databases and delete it from everywhere.
Debbie Reynolds 19:09
Yeah, yeah. I know that people are, I guess, my example. I was thinking about more like access control; maybe that isn't as applicable. So my access control situation, you may need to know that this person had access previously, and then they won't have access to the future for some reason.
Oana Ducuta 19:33
And I was thinking about access. Well, you know, you might want to keep or actually the interaction with that person. Your response to it is to request because probably, you're going to delete the data from your database, but you need to have a documented way to prove that you responded properly to his request in due time in no more than 30 days as the law requires. So how you're going to prove that if you're deleting everything, and yes, I've seen cases where actually those data subjects are actually asking to delete, also the conversation and you need to explain to them, you know, I'm going to delete data, but I cannot delete the conversation that we have here. Because, you know, I need to prove that I'm compliant. And I have responded, and I have taken action on your request.
Debbie Reynolds 20:51
That's a great example. So tell me, what is it that's happening in the world of data protection, Data Privacy right now, that concerns you the most?
Oana Ducuta 21:06
Well, I'm not going to talk about international data transfers. Because, you know, already, we are discussing a lot about it. And there's a lot of work there. My concern is how actually, everything has gone digital after the COVID-19 pandemic. And yeah, we've looked at how secure are all our connections and stuff like that. But there are some data subjects under the law that were not properly, you know, thought about, and those are the children. Because, you know, schools gone online, during the pandemic, and probably in any other places around the world, but definitely here, locally in Romania as well. There was no consistent way to have those children take their classes online. So each school used whatever tool they wanted to use, or each teacher used whatever online tool they have seen, and they are, those children are not properly protected. And we know the risks that their data being exposed can actually trigger. And there aren't any consistent ways for the data protection authorities, or not all the data protection authorities actually have come up with not only guidelines or best practices but also investigations to see how things are going. Going on, their data is exposed. And I've been I have discussed with some, some teachers, and I've seen that you know, children are actually taking their parents' phones, which are not actually properly set up for being used by a child. And they started to use some other tools as well, some other apps, which are not properly set up for kids and all the ways this can actually trigger some, so many risks for those kids. And I'm pretty much concerned about how this will evolve.
Debbie Reynolds 24:22
That's a good point. We see around the world, there are a lot of regulations about children, but then, you know, there is, I think like growing up because, you know, we didn't have the Internet and stuff like that, our parents had more control over, you know, our digital use and stuff that we were you know looking at or using and now kind of with the Internet and you know, tablets and smartphones and then now we're doing this learning thing people are online and doing different things, whether you know whether or not all kids have their own computer, maybe they share a computer with a family member or school mate or something in it. You know, if you're in an educational environment, they have maybe more ways to restrict students. But it's hard because you don't know how people are going online. And your example is a good one; I forgot, I didn't think about it that way. So a lot of kids are using their parents' computers or their parents' phones, and they're not set up to kind of limit their use in a way that needs to be leased to happen.
Oana Ducuta 25:43
Yeah, all right.
Debbie Reynolds 25:45
So let's talk about I just want to jump back in since we did a panel together on international data transfers. This is a topic, you know, for me, it's always been really interesting. People contact me a lot because I've been doing these for, like, over 20 years now. So and I guess there's never a dull moment in, you know, in this area, because as you know, laws can change at any time, you know, a lot, there's a lot of political conversation around families data transfer, so it is just such an ever-evolving situation. And I always tell people, you know, if you want to do privacy or protection, as a profession, like there's a ton of reading to lots and lots of reading lots and lots of opinions, you know, whatever things are passed or not, you just need to know, what the state of play is at any given moment, because it may directly impact your business.
Oana Ducuta 26:53
Yeah, exactly. And so, in a global corporate environment, you must be aware of all the global Data Privacy laws. We are talking about CCPA, we are talking about Brazil, or we are just around the corner with the Indian data protection law. So it's very important to have a proper understanding of all these global laws. Now, plus, you have to have a strong data protection program in place that can actually be the basis for each, each new requirement, because, you know, you might have a new law with some new or recorded some new data subject or rights. But if you don't have a process in place to respond to those, you missed the starting point. So it's, it's pretty much important to implement a stronger Data Protection Program with some strong pillars. And I might recommend starting over with the principles because data protection principles can actually help a lot, help a company a lot to start, their compliance will not make them compliant, obviously. But it's the better, best place to start their compliance. And just thinking about, you know, data minimization, or the purpose of data processing, data deletion we just talked about, or probably the nicest, of all data, data protection by design. If you are starting with these, it's a good start.
Debbie Reynolds 29:09
I'm a very big fan of privacy by design. I'm happy; I was happy to see that that got incorporated into the GDPR. And I'm happy that a lot of people, you know, privacy by design is actually an international standard. And they also, it applies, is being implemented in lots of different industries, and especially so many data-driven industries really need this type of, you know, thinking so I think what I think the change that privacy by design is is forcing, which I like is that it's saying, you know, I think at the past people will say, well, let's collect all this data, then we'll sort out later, like what we're going to do with it or why we need it and stuff like that. So now privacy by design is saying, you know, what is the purpose, you know, think about your purpose before you, before you start touching data before you start doing things with it, you know, have a plan, think it out, you know, think about, you know, think through, you may have looked at a line item basis for data say like, do we need this field? Do we need to know the race of the individual to do this service? Or do we need to know, you know, some other things about people, even though you, you have a technological capability to collect this information, you want to know you as a business is something that you need to collect? So, for me, I always say that you know, data that's collected that has kind of a low business value can have a high business risk because you don't need it; you can't really have a good explanation for why you're collecting it. And then, if something happens to that data, it just causes you more trouble.
Oana Ducuta 31:03
Exactly, exactly. That's it. Just think about security and incident. And if you are exposing that much data, or if you are exposing just one field, it's pretty much quite important. And what Privacy By Design, I'm seeing it actually brought a company is a good collaboration between all the departments and in understanding the data protection, the GDPR, and all this stuff. So we are not only discussing, you know, about how the project manager understands privacy, we are also discussing how it will go collaborate with an engineer guy with a quality assurance engineer or with security officer plus, they will also bring somebody from either no customer service in. So it's a collaboration between all these departments into understanding how privacy needs to be implemented. Here this probably was previously the case for the business requirements, but not for the privacy requirements. Right now. It is so privacy by design, and it's a good, good principle that stays at the bottom of what you are actually building into your privacy program.
Debbie Reynolds 32:56
I agree. So tell me, if you could give a tip or some advice to someone who's working in a corporation in a privacy role? How do you get the cooperation of people in other departments related to privacy? So I think the cool thing about privacy is that you have to talk to everybody. So you have to talk with people at all levels of the organization to make sure they understand. And so I think that makes this role very different, where some other people like say, for if someone is in accounting, they don't necessarily need to talk to someone who's you know, doing production or something. So, because your role needs to be almost like an ambassador in a way. So you're an ambassador for privacy. But what advice would you give to someone who's an organization doing a role like you? What have you found to be successful in being able to have these conversations with different business groups within the organization?
Oana Ducuta 34:11
That's a very good point; you are actually an ambassador, you are discussing with everybody, and on the other side, you are not actually the one that works in all those departments. Right. So the key is to find in each department that person that can actually be your champion; they're your ambassador in that department, and keep regular discussions with that person. And that in that way, you'll have a network of all this, this person in each department that can you can build upon it. And it's good for the accounting department to receive regular communication from the data protection officer to receive best practices that are related to their activity and stuff like that. But you will find out that they will be moral, they will like to have somebody within their department that will help them first of all, understand, you know, this is a privacy issue you need to discuss with the data protection officer. And I think that's a key element, if you're going to know, start your network, find that unique person in each department that can actually help you build a data protection program for each of those functions within the corporate environment.
Debbie Reynolds 36:14
That's probably some of the best advice I've heard from anyone, that makes sense, so have a champion, find someone in these groups that you can have as a champion of, you know, Data Privacy, and if they understand it, well, they will be able to know as the team is working on something when Data Privacy or data protection issue raises to the level that they need to involve you. So it's kind of a two-way street. So as you communicate with these groups about, you know, data privacy, the data protection on a regular basis, and then having that buy-in from champions who can say, Okay, well, we're starting this new thing. And we're thinking about let's try to bring in, you know, the Data Protection Officer so that they can have these conversations. You do have challenges, and I'm sure this happens in every organization. Okay, so it's not even specific to data protection. So there are always people in organizations who feel like they don't want to share information. So they want to hoard information, and they don't want to be able to have these conversations. So I guess it'd be the opposite of champions. Within organizations, how do you deal with situations where maybe you have departments where they don't want to be forthcoming? Because they feel like maybe the work that you're doing may interfere with the things they want to.
Oana Ducuta 37:57
Oh, a good question that has never been asked; oh, well, I think oh, definitely will help a lot to have the tone from the top right. To have your executive team talking about privacy. So not only do you as a DPO need to communicate messages regarding compliance needs, how we as an organization are managing our compliance with the law. But this needs to be discussed and talked about, and those messages need to start from the top right, from the executive team. And definitely, they will; you'll have a lot of this kind of issues inside if the tone from the top is not the good one, right. Secondly, awareness, probably the best, but not that kind of awareness, meaning standard GDPR training where you are putting there some definitions, what personal data and stuff like that and you are deploying it within the company now each try to implement some tailored materials for each of those departments. It's best because, you know, you will have those kind of interactions where they were going to say, you're with the GDPR, you're going to stop a project. Only in those cases where people didn't understand how GDPR is actually implemented, how what's actually GDPR saying, because they have some misconceptions about GDPR stuff in all the projects and innovations, so on. So tailored materials, tailored training, awareness. And the third item I was thinking about, it will probably be best to ask the proper questions when, when you are discussing a project, this comes with experience, actually. Because, definitely, you're not going to know from the beginning what to ask, experienced, not only on the legal side but also on the business side. So that's why I'm recommending everyone, to everyone that wants to start a career, just, first of all, understand the business. Because if you are not understanding what that company is doing, you're not gonna actually address the proper questions right in; you're not going to help them with the proper guidelines.
Debbie Reynolds 41:15
That's great advice. Excellent advice. Well, Oana, this is great. So if it were the world according to Oana, and we did everything that you said, What would be your wish for Data Privacy or data protection anywhere in the world in any facet of, you know, business life technology?
Oana Ducuta 41:45
Well, let's start by being transparent with our data subjects. But first of all, using plain language, let them understand, not with a lot of information that they're not going to read. But with some key points that, you know, you as a person would like to be offered with. So when you are starting using a service or starting an account or stuff like that—so being transparent in a meaningful way.
Debbie Reynolds 42:36
That's great advice, and you give us some really, really good executive advice. That's very important. I agree. I want to see in the future, less, you know, 80-page privacy policies, I want to see more simple terms, because, you know, you're dealing with humans, and you're dealing with humans at all levels, you know, so being able to explain what you're doing, in simple ways will not only help your customers have more trust in you, it will help you as a business be able to, to drive better because people feel like you're not trying to hide something. They're giving me all information I need. And actually trust, you know, for companies that don't have trust, people share less with them. So if company individuals trust you, they'll share more with you.
Oana Ducuta 43:39
Exactly, exactly. Because probably, we are all used to those cookie banners. And missed on the European side. And I guess we are selecting actually the top accept or reject the cookies based on the trust we have with that company, so yeah.
Debbie Reynolds 44:06
Very important, very important dialog. So well, thank you so much for being on the show. This was an excellent, excellent discussion. And I really like what you're doing, you have really a lot of deep knowledge, obviously, on protection, but also you're a very smart executive. So all those tidbits that you gave are excellent advice for people who are trying to find their way, you know, get shareholder or stakeholder buy-in and you know, be able to prosper in their, you know, Data Privacy data protection career.
Oana Ducuta 44:48
Thank you, Debbie. Thank you once again for your invitation. It was an honor being on your show. So, thank you.
Debbie Reynolds 44:55
Thank you so much, and we'll talk soon. Keep in touch.